[Palo Alto] Bytes needed for unknown-tcp

Reference:
https://live.paloaltonetworks.com/t5/Management-Articles/What-does-the-Number-of-Bytes-in-the-Traffic-Log-represent/ta-p/56208
https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711

I have a rule that uses icmp/ping/traceroute as the application, and the service is Any instead of the correct “application-default”; nmap will show that a lot of ports are open.

I use telnet to the target on the port, and keep pressing Enter to send data through the firewall.

The firewall requires enough bytes to determine the application of the traffic and whether it is allowed; the magic number is between 450 and 465 bytes.

When the firewall has received 450 or 465 bytes and still cannot identify the application, it gives up, marks the traffic as unknown-tcp, and drops it.
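A defender-side check for the misconfiguration described above: an added example (not from the original post or from Palo Alto Networks) that walks a constructed excerpt shaped like a PAN-OS security rulebase export and flags allow rules that pin applications but leave the service as "any". The XML layout (`entry`, `application/member`, `service/member`, `action`) is assumed from the usual export format.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of a PAN-OS security rulebase export (structure assumed).
SAMPLE_RULEBASE = """
<rules>
  <entry name="allow-ping-bad">
    <application><member>icmp</member><member>ping</member><member>traceroute</member></application>
    <service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-ping-good">
    <application><member>ping</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-web">
    <application><member>web-browsing</member></application>
    <service><member>service-http</member></service>
    <action>allow</action>
  </entry>
  <entry name="deny-any">
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules>
"""


def members(entry, tag):
    """Collect the <member> values under a given child tag of a rule entry."""
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]


def find_overly_broad_rules(xml_text):
    """Return names of allow rules that restrict applications but leave service as 'any'.

    Such rules let the TCP handshake complete on every port, so a port scanner sees
    the ports as open until App-ID has collected enough bytes to classify (and then
    drop) the session. The fix is to set service to application-default.
    """
    root = ET.fromstring(xml_text)
    flagged = []
    for entry in root.iter("entry"):
        if entry.findtext("action", "").strip() != "allow":
            continue
        apps = members(entry, "application")
        services = members(entry, "service")
        if "any" in services and "any" not in apps:
            flagged.append(entry.get("name"))
    return flagged


if __name__ == "__main__":
    for name in find_overly_broad_rules(SAMPLE_RULEBASE):
        print(f"{name}: service is 'any'; set service to application-default")
```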
